@rubytech/create-realagent 1.0.677 → 1.0.680

package/payload/server/server.js

@@ -13,7 +13,6 @@ import {
   clearRateLimit,
   createRemoteSession,
   hashPassword,
-  invalidateRemoteSession,
   isPasswordValid,
   isRemoteAuthConfigured,
   recordFailedAttempt,
@@ -25,7 +24,7 @@ import {
   verifyPassword,
   verifyRemotePassword,
   vncLog
-} from "./chunk-5YIXIF6C.js";
+} from "./chunk-3RBKKDHC.js";
 
 // ../lib/models/dist/index.js
 var require_dist = __commonJS({
@@ -2895,7 +2894,7 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync24, existsSync as existsSync23, watchFile } from "fs";
+import { readFileSync as readFileSync25, existsSync as existsSync23, watchFile } from "fs";
 import { resolve as resolve27, join as join12, basename as basename7 } from "path";
 import { homedir as homedir4 } from "os";
 
@@ -2908,7 +2907,7 @@ import { spawn as spawn2, spawnSync as spawnSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 import { resolve as resolve5, join as join3 } from "path";
 import { platform as osPlatform } from "os";
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync5, readdirSync as readdirSync2, existsSync as existsSync5, mkdirSync as mkdirSync4, createWriteStream, statSync as statSync3, unlinkSync as unlinkSync3, cpSync, rmSync as rmSync2, appendFileSync, openSync as openSync2, readSync as readSync2, closeSync as closeSync2 } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, readdirSync as readdirSync2, existsSync as existsSync5, mkdirSync as mkdirSync4, createWriteStream, statSync as statSync3, unlinkSync as unlinkSync3, cpSync, rmSync as rmSync2, appendFileSync, openSync as openSync2, readSync as readSync2, closeSync as closeSync2 } from "fs";
 import { lookup as dnsLookup } from "dns/promises";
 import { createConnection as netConnect } from "net";
 import { StringDecoder } from "string_decoder";
@@ -5803,6 +5802,101 @@ async function criticAndRecord(opts) {
   }
 }
 
+// app/lib/admin-schema-block.ts
+import { readFileSync as readFileSync6 } from "fs";
+var EDGE_TAXONOMY = [
+  { type: "PART_OF", direction: "(Message)-[:PART_OF]->(Conversation)", note: "Messages belong to exactly one Conversation. Do NOT use :HAS_MESSAGE \u2014 that edge does not exist." },
+  { type: "NEXT", direction: "(Message)-[:NEXT]->(Message)", note: "Chain order within a Conversation. Each Message has at most one NEXT successor." },
+  { type: "BELONGS_TO", direction: "(Conversation|Task|...)-[:BELONGS_TO]->(LocalBusiness)", note: "Account scope. Universal \u2014 almost every tenant-owned node has one." },
+  { type: "ADMIN_OF", direction: "(AdminUser)-[:ADMIN_OF]->(LocalBusiness)", note: "Device-level admin membership (see admin-add / admin-remove)." },
+  { type: "AUTHORED_BY", direction: "(Message)-[:AUTHORED_BY]->(Person)", note: "Message authorship (when the author is an identified Person)." },
+  { type: "HAS_TOOL_CALL", direction: "(Message)-[:HAS_TOOL_CALL]->(ToolCall)", note: "Tool calls attached to an assistant message." },
+  { type: "HAS_RESULT", direction: "(WorkflowStep|ToolCall)-[:HAS_RESULT]->(StepResult)", note: "Workflow step / tool-call outputs." },
+  { type: "HAS_STEP", direction: "(Workflow)-[:HAS_STEP]->(WorkflowStep)", note: "Workflow composition." },
+  { type: "RUN_OF", direction: "(WorkflowRun)-[:RUN_OF]->(Workflow)", note: "Workflow execution instance." },
+  { type: "HAS_SECTION", direction: "(KnowledgeDocument)-[:HAS_SECTION]->(Section)", note: "Document hierarchy." },
+  { type: "HAS_CHUNK", direction: "(Section)-[:HAS_CHUNK]->(Chunk)", note: "Section-to-embeddable-chunk." },
+  { type: "HAS_PREFERENCE", direction: "(Person)-[:HAS_PREFERENCE]->(Preference)", note: "Person-scoped preferences (profile memory)." },
+  { type: "HAS_ACCESS", direction: "(Person)-[:HAS_ACCESS]->(AccessGrant)", note: "Public agent access grants." },
+  { type: "HAS_TASK", direction: "(Person|LocalBusiness)-[:HAS_TASK]->(Task)", note: "Task ownership / assignment." },
+  { type: "HAS_PRICING", direction: "(Service)-[:HAS_PRICING]->(PriceSpecification)", note: "Service pricing." },
+  { type: "HAS_HOURS", direction: "(LocalBusiness)-[:HAS_HOURS]->(OpeningHoursSpecification)", note: "Opening hours." },
+  { type: "HAS_FAQ", direction: "(LocalBusiness)-[:HAS_FAQ]->(Question)", note: "FAQ attached to business." },
+  { type: "HAS_BRAND_ASSET", direction: "(LocalBusiness)-[:HAS_BRAND_ASSET]->(DigitalDocument|ImageObject)", note: "Branding assets." },
+  { type: "OFFERS", direction: "(LocalBusiness)-[:OFFERS]->(Service)", note: "Service catalogue." },
+  { type: "CONTAINS", direction: "(KnowledgeDocument)-[:CONTAINS]->(Chunk)", note: "Flat document-to-chunk (alternative to HAS_SECTION then HAS_CHUNK)." },
+  { type: "REFERENCES", direction: "(Message|KnowledgeDocument)-[:REFERENCES]->(*)", note: "Soft reference link." },
+  { type: "ABOUT", direction: "(Review|Message)-[:ABOUT]->(*)", note: "Subject pointer." },
+  { type: "REPLY_TO", direction: "(Email)-[:REPLY_TO]->(Email)", note: "Email threading." },
+  { type: "RECEIVED_BY", direction: "(Email)-[:RECEIVED_BY]->(Person)", note: "Email recipient." },
+  { type: "RAISED_BY", direction: "(ReviewAlert)-[:RAISED_BY]->(*)", note: "Alert provenance." },
+  { type: "AFFECTS", direction: "(ReviewAlert)-[:AFFECTS]->(*)", note: "Alert impact surface." },
+  { type: "BLOCKS", direction: "(Task)-[:BLOCKS]->(Task)", note: "Task dependency." },
+  { type: "OBSERVED_IN", direction: "(*)-[:OBSERVED_IN]->(Conversation)", note: "Observation provenance." }
+];
+var SUBLABELS = [
+  { base: "Conversation", sub: "AdminConversation", note: "Admin-only conversation (admin chat, not public)." },
+  { base: "Conversation", sub: "PublicConversation", note: "Public agent conversation (visitor-facing)." },
+  { base: "Message", sub: "UserMessage", note: "Message authored by the human user." },
+  { base: "Message", sub: "AssistantMessage", note: "Message authored by the assistant." }
+];
+var LABEL_PATTERN = /FOR\s*\(\s*\w+\s*:\s*(\w+)\s*\)/g;
+function parseLabelsFromSchemaCypher(schemaCypher) {
+  const found = /* @__PURE__ */ new Set();
+  for (const match2 of schemaCypher.matchAll(LABEL_PATTERN)) {
+    found.add(match2[1]);
+  }
+  return [...found].sort();
+}
+function buildSchemaBlock(schemaCypherText) {
+  const baseLabels = parseLabelsFromSchemaCypher(schemaCypherText);
+  const sublabels = SUBLABELS.map((s) => s.sub);
+  const lines = [];
+  lines.push("# SCHEMA (Neo4j graph, canonical reference)");
+  lines.push("");
+  lines.push("The Neo4j instance backing this admin session contains exactly the labels and relationship types below. Never invent names outside this list. If you need cypher against a token not listed here, first invoke `maxy-graph-get_neo4j_schema` to confirm it exists \u2014 do not guess.");
+  lines.push("");
+  lines.push("## Labels (from platform/neo4j/schema.cypher)");
+  lines.push("");
+  for (const label of baseLabels) {
+    lines.push(`- :${label}`);
+  }
+  lines.push("");
+  lines.push("### Sublabels (Task 633 role-cue variants)");
+  lines.push("");
+  for (const s of SUBLABELS) {
+    lines.push(`- :${s.sub} (on :${s.base}) \u2014 ${s.note}`);
+  }
+  lines.push("");
+  lines.push("## Relationship types (from .docs/neo4j.md)");
+  lines.push("");
+  for (const e of EDGE_TAXONOMY) {
+    lines.push(`- :${e.type} \u2014 ${e.direction} \u2014 ${e.note}`);
+  }
+  lines.push("");
+  lines.push("The cypher MCP validator (graph-mcp proxy, Task 654) rejects write cypher that references unknown labels or edges and warns on read cypher. Stick to the taxonomy above; if you believe a token is missing, invoke `maxy-graph-get_neo4j_schema` for the live snapshot.");
+  const text = lines.join("\n");
+  return {
+    text,
+    labelCount: baseLabels.length + sublabels.length,
+    relationshipTypeCount: EDGE_TAXONOMY.length,
+    bytes: Buffer.byteLength(text, "utf-8")
+  };
+}
+function loadAdminSchemaBlock(schemaCypherPath) {
+  let text;
+  try {
+    text = readFileSync6(schemaCypherPath, "utf-8");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(
+      `[admin-identity] schema.cypher unreadable path=${schemaCypherPath} error="${msg.replace(/"/g, "'")}" block=omitted`
+    );
+    return null;
+  }
+  return buildSchemaBlock(text);
+}
+
 // app/lib/claude-agent.ts
 var LOG_RETENTION_DAYS = 7;
 var BROWSER_TOOL_PREFIXES = [
@@ -6063,7 +6157,7 @@ function sampleProcState(pid) {
       let sockets2 = 0;
       for (const tcpFile of ["/proc/" + pid + "/net/tcp", "/proc/" + pid + "/net/tcp6"]) {
         try {
-          const raw2 = readFileSync6(tcpFile, "utf-8");
+          const raw2 = readFileSync7(tcpFile, "utf-8");
           const lines2 = raw2.split("\n");
           for (let i = 1; i < lines2.length; i++) {
             const line = lines2[i].trim();
@@ -6079,7 +6173,7 @@ function sampleProcState(pid) {
       }
       let rssMb = 0;
       try {
-        const statm = readFileSync6(`/proc/${pid}/statm`, "utf-8").trim().split(/\s+/);
+        const statm = readFileSync7(`/proc/${pid}/statm`, "utf-8").trim().split(/\s+/);
         const rssPages = parseInt(statm[1] ?? "0", 10);
         if (Number.isFinite(rssPages)) rssMb = Math.round(rssPages * 4096 / (1024 * 1024));
       } catch {
@@ -6126,7 +6220,7 @@ function resolveAccount() {
   let usersJsonUserId = null;
   if (existsSync5(usersFilePath)) {
     try {
-      const raw2 = readFileSync6(usersFilePath, "utf-8").trim();
+      const raw2 = readFileSync7(usersFilePath, "utf-8").trim();
       if (raw2) {
         const users = JSON.parse(raw2);
         if (users.length > 0) {
@@ -6142,7 +6236,7 @@ function resolveAccount() {
     if (!entry.isDirectory()) continue;
     const configPath2 = resolve5(ACCOUNTS_DIR, entry.name, "account.json");
     if (!existsSync5(configPath2)) continue;
-    const raw2 = readFileSync6(configPath2, "utf-8");
+    const raw2 = readFileSync7(configPath2, "utf-8");
     let config;
     try {
       config = JSON.parse(raw2);
@@ -6177,7 +6271,7 @@ function resolveAccount() {
 function readAgentFile(accountDir, agentName, filename) {
   const filePath = resolve5(accountDir, "agents", agentName, filename);
   if (!existsSync5(filePath)) return null;
-  return readFileSync6(filePath, "utf-8");
+  return readFileSync7(filePath, "utf-8");
 }
 function readIdentity(accountDir, agentName) {
   return readAgentFile(accountDir, agentName, "IDENTITY.md");
@@ -6219,7 +6313,7 @@ function resolveDefaultAgentSlug(accountDir) {
   }
   let config;
   try {
-    config = JSON.parse(readFileSync6(configPath2, "utf-8"));
+    config = JSON.parse(readFileSync7(configPath2, "utf-8"));
   } catch (err) {
     console.error("[agent-resolve] failed to read account.json:", err);
     return null;
@@ -6310,14 +6404,14 @@ function resolveAgentConfig(accountDir, agentName) {
     const knowledgeMtime = statSync3(knowledgePath).mtimeMs;
     const summaryMtime = statSync3(summaryPath).mtimeMs;
     if (summaryMtime >= knowledgeMtime) {
-      knowledge = readFileSync6(summaryPath, "utf-8");
+      knowledge = readFileSync7(summaryPath, "utf-8");
     } else {
       console.warn(`[agent-config] ${agentName}: KNOWLEDGE-SUMMARY.md is stale (KNOWLEDGE.md is newer) \u2014 using full knowledge`);
-      knowledge = readFileSync6(knowledgePath, "utf-8");
+      knowledge = readFileSync7(knowledgePath, "utf-8");
     }
     knowledgeBaked = true;
   } else if (hasKnowledge) {
-    knowledge = readFileSync6(knowledgePath, "utf-8");
+    knowledge = readFileSync7(knowledgePath, "utf-8");
     knowledgeBaked = true;
   }
   let budget = null;
@@ -6343,7 +6437,7 @@ function parsePluginFrontmatter(pluginDir) {
   if (!existsSync5(pluginPath)) return null;
   let raw2;
   try {
-    raw2 = readFileSync6(pluginPath, "utf-8");
+    raw2 = readFileSync7(pluginPath, "utf-8");
   } catch {
     console.warn(`[plugins] cannot read ${pluginPath}`);
     return null;
@@ -6419,7 +6513,7 @@ function autoDeliverPremiumPlugins(purchasedPlugins) {
     if (isBundle) {
       let bundleRaw;
       try {
-        bundleRaw = readFileSync6(bundlePath, "utf-8");
+        bundleRaw = readFileSync7(bundlePath, "utf-8");
       } catch (err) {
         console.log(`${TAG19} ${pluginName}: cannot read BUNDLE.md \u2014 ${err instanceof Error ? err.message : String(err)}`);
         continue;
@@ -6512,7 +6606,7 @@ function migratePluginRenames(accountDir, config) {
   if (!changed) return;
   const configPath2 = resolve5(accountDir, "account.json");
   try {
-    const raw2 = readFileSync6(configPath2, "utf-8");
+    const raw2 = readFileSync7(configPath2, "utf-8");
     const parsed = JSON.parse(raw2);
     parsed.enabledPlugins = migrated;
     writeFileSync5(configPath2, JSON.stringify(parsed, null, 2) + "\n");
@@ -6546,7 +6640,7 @@ function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
   const agentsmdPath = resolve5(accountDir, "agents", "admin", "AGENTS.md");
   let agentsmd = "";
   try {
-    agentsmd = existsSync5(agentsmdPath) ? readFileSync6(agentsmdPath, "utf-8") : "";
+    agentsmd = existsSync5(agentsmdPath) ? readFileSync7(agentsmdPath, "utf-8") : "";
   } catch {
   }
   let delivered = 0;
@@ -6570,7 +6664,7 @@ function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
         continue;
       }
       try {
-        const content = readFileSync6(target, "utf-8");
+        const content = readFileSync7(target, "utf-8");
         const fmMatch = content.match(/^---\n([\s\S]*?)\n---/);
         if (fmMatch) {
           const nameMatch = fmMatch[1].match(/^name:\s*(.+)/m);
@@ -6606,7 +6700,7 @@ function assemblePublicPluginContent(pluginDir) {
   const pluginPath = resolve5(pluginRoot, "PLUGIN.md");
   let raw2;
   try {
-    raw2 = readFileSync6(pluginPath, "utf-8");
+    raw2 = readFileSync7(pluginPath, "utf-8");
   } catch {
     return null;
   }
@@ -6627,7 +6721,7 @@ function assemblePublicPluginContent(pluginDir) {
     const skillMdPath = resolve5(skillDir, "SKILL.md");
     let skillRaw;
     try {
-      skillRaw = readFileSync6(skillMdPath, "utf-8");
+      skillRaw = readFileSync7(skillMdPath, "utf-8");
     } catch {
       continue;
     }
@@ -6678,7 +6772,7 @@ function assemblePublicPluginContent(pluginDir) {
     }
     for (const refFile of refFiles) {
       try {
-        const refContent = readFileSync6(resolve5(refsDir, refFile), "utf-8").trim();
+        const refContent = readFileSync7(resolve5(refsDir, refFile), "utf-8").trim();
         if (refContent) {
           parts.push(`
 <!-- reference: ${refFile} -->`);
@@ -6752,7 +6846,7 @@ function loadEmbeddedPlugins(agentType, selectedPlugins, enabledPlugins) {
       const pluginPath = resolve5(pluginsDir, dir, "PLUGIN.md");
       let raw2;
       try {
-        raw2 = readFileSync6(pluginPath, "utf-8");
+        raw2 = readFileSync7(pluginPath, "utf-8");
       } catch (err) {
         console.warn(`[plugins] ${dir}: failed to read PLUGIN.md for ${agentType} embed: ${String(err)}`);
         continue;
@@ -7098,7 +7192,7 @@ function resolveUserAccounts(userId) {
     if (!existsSync5(configPath2)) continue;
     let config;
     try {
-      config = JSON.parse(readFileSync6(configPath2, "utf-8"));
+      config = JSON.parse(readFileSync7(configPath2, "utf-8"));
     } catch {
       console.error(`[session] account.json corrupt at ${configPath2} \u2014 skipping`);
       continue;
@@ -7168,8 +7262,75 @@ function clearSessionHistory(sessionKey) {
   session.stalledSubagents = void 0;
   session.pendingTrimmedMessages = void 0;
   session.pendingCommitmentOffers = void 0;
+  session.pendingTurns = void 0;
   return previousConversationId;
 }
+function bufferPendingTurn(sessionKey, turn) {
+  const session = sessionStore.get(sessionKey);
+  if (!session) {
+    console.error(`[conversation-gate] bufferPendingTurn: session not found sessionKey=${sessionKey.slice(0, 8)}\u2026`);
+    return;
+  }
+  if (!session.pendingTurns) session.pendingTurns = [];
+  session.pendingTurns.push(turn);
+  console.log(`[conversation-gate] ${(/* @__PURE__ */ new Date()).toISOString()} buffered sessionKey=${sessionKey.slice(0, 8)} role=${turn.role} turnCount=${session.pendingTurns.filter((t) => t.role === "user").length}`);
+}
+function getPendingTurnCount(sessionKey) {
+  const buf = sessionStore.get(sessionKey)?.pendingTurns;
+  if (!buf) return 0;
+  let n = 0;
+  for (const t of buf) if (t.role === "user") n++;
+  return n;
+}
+function drainPendingTurns(sessionKey) {
+  const session = sessionStore.get(sessionKey);
+  if (!session?.pendingTurns || session.pendingTurns.length === 0) return void 0;
+  const drained = session.pendingTurns;
+  session.pendingTurns = void 0;
+  return drained;
+}
+async function maybeFlushConversationBuffer(sessionKey, agentType, accountId) {
+  const session = sessionStore.get(sessionKey);
+  if (!session) return null;
+  if (session.conversationId) return session.conversationId;
+  if (getPendingTurnCount(sessionKey) < 2) return null;
+  if (session.flushInFlight) return session.flushInFlight;
+  const attempt = (async () => {
+    let conversationId = null;
+    if (agentType === "admin") {
+      const userId = session.userId;
+      if (!userId) {
+        console.error(`[conversation-gate] flush aborted: admin session missing userId sessionKey=${sessionKey.slice(0, 8)}\u2026`);
+        return null;
+      }
+      conversationId = await createNewAdminConversation(userId, accountId, sessionKey);
+    } else {
+      conversationId = await ensureConversation(accountId, "public", sessionKey, void 0, void 0, void 0);
+    }
+    if (!conversationId) return null;
+    session.conversationId = conversationId;
+    const buffered = drainPendingTurns(sessionKey) ?? [];
+    for (const turn of buffered) {
+      persistMessage(conversationId, turn.role, turn.content, accountId, turn.tokens, turn.timestamp, turn.sender).catch((err) => {
+        console.error(`[conversation-gate] replay persistMessage failed role=${turn.role}: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    }
+    console.log(`[conversation-gate] ${(/* @__PURE__ */ new Date()).toISOString()} flushed sessionKey=${sessionKey.slice(0, 8)} conversationId=${conversationId.slice(0, 8)} bufferedMessages=${buffered.length} agentType=${agentType}`);
+    return conversationId;
+  })();
+  session.flushInFlight = attempt;
+  try {
+    return await attempt;
+  } finally {
+    if (session.flushInFlight === attempt) session.flushInFlight = void 0;
+  }
+}
+function isDmChannelSessionKey(sessionKey) {
+  return sessionKey.startsWith("whatsapp:") || sessionKey.startsWith("telegram:");
+}
+function preflushStreamLogKey(sessionKey) {
+  return `preflush-${sessionKey.slice(0, 12)}`;
+}
 function getAgentNameForSession(sessionKey) {
   return sessionStore.get(sessionKey)?.agentName;
 }
@@ -7347,7 +7508,7 @@ function readBrandHostname() {
   if (cachedBrandHostname !== null) return cachedBrandHostname;
   try {
     const brandPath = resolve5(PLATFORM_ROOT3, "config", "brand.json");
-    const parsed = JSON.parse(readFileSync6(brandPath, "utf-8"));
+    const parsed = JSON.parse(readFileSync7(brandPath, "utf-8"));
     cachedBrandHostname = typeof parsed.hostname === "string" && parsed.hostname.length > 0 ? parsed.hostname : "maxy";
   } catch {
     cachedBrandHostname = "maxy";
@@ -9062,20 +9223,24 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
   const userTimestamp = clientTimestamp ?? (/* @__PURE__ */ new Date()).toISOString();
   const resumeSessionId = sessionKey ? getAgentSessionId(sessionKey) : void 0;
   const spawnConvId = sessionKey ? getConversationIdForSession(sessionKey) : void 0;
-  if (!spawnConvId) {
-    throw new Error(`invokeAdminAgent: conversationId missing for sessionKey=${sessionKey?.slice(0, 8) ?? "none"} \u2014 ensureConversation must run before invoking the agent`);
+  if (!spawnConvId && sessionKey && getPendingTurnCount(sessionKey) >= 2) {
+    throw new Error(`invokeAdminAgent: conversationId missing post-flush for sessionKey=${sessionKey.slice(0, 8)} \u2014 maybeFlushConversationBuffer must bind it before invoking the agent`);
+  }
+  const spawnLogKey = spawnConvId ?? (sessionKey ? preflushStreamLogKey(sessionKey) : void 0);
+  if (!spawnLogKey) {
+    throw new Error(`invokeAdminAgent: sessionKey required \u2014 cannot resolve log stream without one`);
   }
   const cdpOk = await ensureCdp();
   if (!cdpOk) {
-    const cdpLog = agentLogStream("claude-agent-stream", accountDir, spawnConvId);
+    const cdpLog = agentLogStream("claude-agent-stream", accountDir, spawnLogKey);
     cdpLog.write(`[${isoTs()}] [warn] ensureCdp failed \u2014 browser-specialist degraded
 `);
     cdpLog.end();
   }
   const ccUserId = sessionKey ? getUserIdForSession(sessionKey) : void 0;
-  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, spawnConvId, ccUserId, enabledPlugins) });
+  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, spawnLogKey, ccUserId, enabledPlugins) });
   const specialistsDir = resolve5(accountDir, "specialists");
-  if (!existsSync5(specialistsDir)) agentLogStream("claude-agent-stream", accountDir, spawnConvId).write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
+  if (!existsSync5(specialistsDir)) agentLogStream("claude-agent-stream", accountDir, spawnLogKey).write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
 `);
   const args = [
     "--print",
@@ -9106,19 +9271,19 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
     // Task 556: STREAM_LOG_PATH inherited by Bash-tool subprocesses.
-    env: buildSpawnEnv(accountId, accountDir, spawnConvId)
+    env: buildSpawnEnv(accountId, accountDir, spawnLogKey)
   });
-  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, spawnConvId);
+  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, spawnLogKey);
   stderrLog.on("error", () => {
   });
   proc.stderr?.pipe(stderrLog);
-  const streamLog = agentLogStream("claude-agent-stream", accountDir, spawnConvId);
+  const streamLog = agentLogStream("claude-agent-stream", accountDir, spawnLogKey);
   streamLog.on("error", () => {
   });
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
 `);
-  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${spawnConvId} site=admin
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${spawnConvId ?? "preflush"} logKey=${spawnLogKey} site=admin
 `);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
@@ -9128,7 +9293,7 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     }
     activeProcesses.set(sessionKey, { pid: proc.pid, spawnedAt: Date.now() });
   }
-  streamLog.write(`[${isoTs()}] [spawn] pid=${proc.pid} resume=${resumeSessionId ?? "none"} sessionKey=${sessionKey ?? "none"} conversationId=${spawnConvId} pluginDir=${specialistsDir}
+  streamLog.write(`[${isoTs()}] [spawn] pid=${proc.pid} resume=${resumeSessionId ?? "none"} sessionKey=${sessionKey ?? "none"} conversationId=${spawnConvId ?? "preflush"} logKey=${spawnLogKey} pluginDir=${specialistsDir}
 `);
   streamLog.write(`[${isoTs()}] [stdin] len=${fullMessage.length} preview=${JSON.stringify(fullMessage.slice(0, 80))}
 `);
@@ -9200,7 +9365,7 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     }
     if (event.type === "usage" && sessionKey && currentAgentSessionId) {
       const peakReqPct = event.peak_request_pct ?? 0;
-      if (peakReqPct >= COMPACTION_THRESHOLD) {
+      if (peakReqPct >= COMPACTION_THRESHOLD && spawnConvId) {
         const compactionIter = runCompactionTurn(accountDir, accountId, systemPrompt, currentAgentSessionId, adminModel, spawnConvId, enabledPlugins);
         let step = await compactionIter.next();
         while (!step.done) {
@@ -9310,9 +9475,9 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
       } else {
         gotDone = true;
         if (!sessionWasReset) {
+          const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
           const convId = sessionKey ? sessionStore.get(sessionKey)?.conversationId : void 0;
           if (convId) {
-            const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
             persistMessage(convId, "user", fullMessage, accountId, void 0, userTimestamp).catch(() => {
             });
             autoLabelSession(convId, fullMessage).catch(() => {
@@ -9320,7 +9485,14 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
             if (responseText) persistMessage(convId, "assistant", responseText, accountId, capturedTokens, assistantTimestamp).catch(() => {
             });
           } else if (sessionKey) {
-            console.warn(`[persist] skipped: no conversationId for sessionKey=${sessionKey.slice(0, 12)}\u2026 (session registered=${sessionStore.has(sessionKey)})`);
+            bufferPendingTurn(sessionKey, { role: "user", content: fullMessage, timestamp: userTimestamp });
+            if (responseText) bufferPendingTurn(sessionKey, { role: "assistant", content: responseText, timestamp: assistantTimestamp, tokens: capturedTokens });
+            const flushedId = await maybeFlushConversationBuffer(sessionKey, "admin", accountId);
+            if (flushedId) {
+              autoLabelSession(flushedId, fullMessage).catch(() => {
+              });
+              yield { type: "conversation_attributed", conversationId: flushedId };
+            }
           }
           if (sessionKey) {
             const commitSession = sessionStore.get(sessionKey);
@@ -9383,9 +9555,10 @@ ${summary}`;
 async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accountId, adminModel, sessionKey, maxTurns = 20, attachments = [], retryCount = 0, enabledPlugins, clientTimestamp, adherenceConstraints, agentName) {
   const userTimestamp = clientTimestamp ?? (/* @__PURE__ */ new Date()).toISOString();
   const managedConvId = getConversationIdForSession(sessionKey);
-  if (!managedConvId) {
-    throw new Error(`invokeManagedAdminAgent: conversationId missing for sessionKey=${sessionKey.slice(0, 8)} \u2014 ensureConversation must run first`);
+  if (!managedConvId && getPendingTurnCount(sessionKey) >= 2) {
+    throw new Error(`invokeManagedAdminAgent: conversationId missing post-flush for sessionKey=${sessionKey.slice(0, 8)} \u2014 maybeFlushConversationBuffer must bind it first`);
   }
+  const managedLogKey = managedConvId ?? preflushStreamLogKey(sessionKey);
   const pendingTrimmed = consumePendingTrimmedMessages(sessionKey);
   if (pendingTrimmed && pendingTrimmed.length > 0) {
     const ok = await compactTrimmedMessages(accountId, pendingTrimmed);
@@ -9393,7 +9566,7 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
       storePendingTrimmedMessages(sessionKey, pendingTrimmed);
     }
   }
-  const streamLog = agentLogStream("claude-agent-stream", accountDir, managedConvId);
+  const streamLog = agentLogStream("claude-agent-stream", accountDir, managedLogKey);
   streamLog.on("error", () => {
   });
   const systemPromptTokens = estimateTokens(systemPrompt);
@@ -9424,7 +9597,7 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
   if (!cdpOk) streamLog.write(`[${isoTs()}] [warn] ensureCdp failed \u2014 browser-specialist degraded
 `);
   const managedUserId = getUserIdForSession(sessionKey);
-  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, managedConvId, managedUserId, enabledPlugins) });
+  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, managedLogKey, managedUserId, enabledPlugins) });
   const specialistsDir = resolve5(accountDir, "specialists");
   if (!existsSync5(specialistsDir)) streamLog.write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
 `);
@@ -9455,16 +9628,16 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
     // Task 556: STREAM_LOG_PATH inherited by Bash-tool subprocesses.
-    env: buildSpawnEnv(accountId, accountDir, managedConvId)
+    env: buildSpawnEnv(accountId, accountDir, managedLogKey)
   });
-  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, managedConvId);
+  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, managedLogKey);
   stderrLog.on("error", () => {
   });
   proc.stderr?.pipe(stderrLog);
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
 `);
-  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${managedConvId} site=managed
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${managedConvId ?? "preflush"} logKey=${managedLogKey} site=managed
 `);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
@@ -9474,13 +9647,13 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
     }
     activeProcesses.set(sessionKey, { pid: proc.pid, spawnedAt: Date.now() });
   }
-  streamLog.write(`[${isoTs()}] [managed-spawn] pid=${proc.pid} sessionKey=${sessionKey} conversationId=${managedConvId} historyMessages=${history.length} pluginDir=${specialistsDir}
+  streamLog.write(`[${isoTs()}] [managed-spawn] pid=${proc.pid} sessionKey=${sessionKey} conversationId=${managedConvId ?? "preflush"} logKey=${managedLogKey} historyMessages=${history.length} pluginDir=${specialistsDir}
 `);
   streamLog.write(`[${isoTs()}] [stdin] len=${fullMessage.length} preview=${JSON.stringify(fullMessage.slice(0, 80))}
 `);
   proc.on("exit", (code, signal) => {
-    console.log(`[process-exit] pid=${proc.pid} code=${code} signal=${signal} sessionKey=${sessionKey ?? "none"} conversationId=${managedConvId}`);
-    if (!streamLog.destroyed && !streamLog.writableEnded) streamLog.write(`[${isoTs()}] [process-exit] pid=${proc.pid} code=${code} signal=${signal} conversationId=${managedConvId}
+    console.log(`[process-exit] pid=${proc.pid} code=${code} signal=${signal} sessionKey=${sessionKey ?? "none"} conversationId=${managedConvId ?? "preflush"}`);
+    if (!streamLog.destroyed && !streamLog.writableEnded) streamLog.write(`[${isoTs()}] [process-exit] pid=${proc.pid} code=${code} signal=${signal} conversationId=${managedConvId ?? "preflush"}
 `);
     if (sessionKey) activeProcesses.delete(sessionKey);
   });
@@ -9630,17 +9803,24 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
 `);
           const successSession = sessionStore.get(sessionKey);
           if (successSession) successSession.lastPeakContextPct = peakContextPct;
+          const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
           const convId = sessionStore.get(sessionKey)?.conversationId;
           if (convId) {
-            const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
             persistMessage(convId, "user", fullMessage, accountId, void 0, userTimestamp).catch(() => {
             });
             autoLabelSession(convId, fullMessage).catch(() => {
             });
             if (responseText) persistMessage(convId, "assistant", responseText, accountId, capturedTokens, assistantTimestamp).catch(() => {
             });
-          } else if (sessionKey) {
-            console.warn(`[persist] skipped: no conversationId for sessionKey=${sessionKey.slice(0, 12)}\u2026 (session registered=${sessionStore.has(sessionKey)})`);
+          } else {
+            bufferPendingTurn(sessionKey, { role: "user", content: fullMessage, timestamp: userTimestamp });
+            if (responseText) bufferPendingTurn(sessionKey, { role: "assistant", content: responseText, timestamp: assistantTimestamp, tokens: capturedTokens });
+            const flushedId = await maybeFlushConversationBuffer(sessionKey, "admin", accountId);
+            if (flushedId) {
+              autoLabelSession(flushedId, fullMessage).catch(() => {
+              });
+              yield { type: "conversation_attributed", conversationId: flushedId };
+            }
           }
           const commitSession = sessionStore.get(sessionKey);
           if (commitSession?.pendingCommitmentOffers && commitSession.pendingCommitmentOffers.length > 0) {
@@ -9712,10 +9892,14 @@ async function* invokePublicAgent(message, systemPrompt, accountId, accountDir,
     return;
   }
   const publicConvId = sessionKey ? getConversationIdForSession(sessionKey) : void 0;
-  if (!publicConvId) {
-    throw new Error(`invokePublicAgent: conversationId missing for sessionKey=${sessionKey?.slice(0, 8) ?? "none"} \u2014 ensureConversation must run first`);
+  if (!publicConvId && sessionKey && getPendingTurnCount(sessionKey) >= 2) {
+    throw new Error(`invokePublicAgent: conversationId missing post-flush for sessionKey=${sessionKey.slice(0, 8)} \u2014 maybeFlushConversationBuffer must bind it first`);
+  }
+  const publicLogKey = publicConvId ?? (sessionKey ? preflushStreamLogKey(sessionKey) : void 0);
+  if (!publicLogKey) {
+    throw new Error(`invokePublicAgent: sessionKey required \u2014 cannot resolve log stream without one`);
   }
-  const streamLog = agentLogStream("public-agent-stream", accountDir, publicConvId);
+  const streamLog = agentLogStream("public-agent-stream", accountDir, publicLogKey);
   streamLog.write(`[${isoTs()}] [public-user-message] ${JSON.stringify(message)}
 `);
   if (sessionKey) {
@@ -9952,10 +10136,10 @@ User messages are prefixed with the sender's name in brackets. Address participa
 `);
     }
     const conversationId = sessionKey ? sessionStore.get(sessionKey)?.conversationId : void 0;
+    const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const sess = sessionKey ? sessionStore.get(sessionKey) : void 0;
+    const sender = sess?.groupSlug && sess.visitorId && sess.senderDisplayName ? { visitorId: sess.visitorId, displayName: sess.senderDisplayName } : void 0;
     if (conversationId) {
-      const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
-      const sess = sessionKey ? sessionStore.get(sessionKey) : void 0;
-      const sender = sess?.groupSlug && sess.visitorId && sess.senderDisplayName ? { visitorId: sess.visitorId, displayName: sess.senderDisplayName } : void 0;
       persistMessage(conversationId, "user", message, accountId, void 0, userTimestamp, sender).catch(() => {
       });
       autoLabelSession(conversationId, message).catch(() => {
@@ -9963,7 +10147,14 @@ User messages are prefixed with the sender's name in brackets. Address participa
       if (fullText) persistMessage(conversationId, "assistant", fullText, accountId, void 0, assistantTimestamp).catch(() => {
       });
     } else if (sessionKey) {
-      console.warn(`[persist] skipped: no conversationId for sessionKey=${sessionKey.slice(0, 12)}\u2026 (session registered=${sessionStore.has(sessionKey)})`);
+      bufferPendingTurn(sessionKey, { role: "user", content: message, timestamp: userTimestamp, sender });
+      if (fullText) bufferPendingTurn(sessionKey, { role: "assistant", content: fullText, timestamp: assistantTimestamp });
+      const flushedId = await maybeFlushConversationBuffer(sessionKey, "public", accountId);
+      if (flushedId) {
+        autoLabelSession(flushedId, message).catch(() => {
+        });
+        yield { type: "conversation_attributed", conversationId: flushedId };
+      }
     }
     streamLog.end();
   }
@@ -10122,7 +10313,7 @@ ${sessionContext}`;
       const skillPath = resolve5(PLATFORM_ROOT3, "plugins/admin/skills/onboarding/SKILL.md");
       let skillContent = "";
       try {
-        skillContent = readFileSync6(skillPath, "utf-8");
+        skillContent = readFileSync7(skillPath, "utf-8");
       } catch (err) {
         console.error(`[onboarding-inject] accountId=${accountId.slice(0, 8)}\u2026 error=skill-read-failed path=${skillPath} reason=${err instanceof Error ? err.message : String(err)}`);
       }
@@ -10174,13 +10365,23 @@ ${manifest}`;
     }
     const graphRefPath = resolve5(PLATFORM_ROOT3, "plugins/memory/references/graph-primitives.md");
     try {
-      const graphRef = readFileSync6(graphRefPath, "utf-8");
+      const graphRef = readFileSync7(graphRefPath, "utf-8");
       baseSystemPrompt += `
 
 ${graphRef}`;
     } catch (err) {
       console.error(`[graph-primitives] reference missing at ${graphRefPath} \u2014 admin session will have no Cypher cookbook: ${err instanceof Error ? err.message : String(err)}`);
     }
+    const schemaCypherPath = resolve5(PLATFORM_ROOT3, "neo4j/schema.cypher");
+    const schemaBlock = loadAdminSchemaBlock(schemaCypherPath);
+    if (schemaBlock) {
+      baseSystemPrompt += `
+
+${schemaBlock.text}`;
+      console.log(
+        `[admin-identity] schemaBlockBytes=${schemaBlock.bytes} labels=${schemaBlock.labelCount} relationshipTypes=${schemaBlock.relationshipTypeCount}`
+      );
+    }
   }
   if (agentConfig?.budget) {
     const pluginTokens = embeddedPlugins.reduce((sum, p) => sum + estimateTokens(p.body), 0);
@@ -10260,7 +10461,7 @@ Current session key: ${sessionKey}` : systemPromptBase;
 
 ${gwParts.join("\n")}`;
   }
-  if (sessionKey) {
+  if (sessionKey && isDmChannelSessionKey(sessionKey)) {
     try {
       await ensureConversation(accountId, agentType, sessionKey, void 0, void 0, sessionUserId);
     } catch (err) {
@@ -10389,7 +10590,7 @@ var clientIpMiddleware = async (c, next) => {
 };
 
 // server/routes/health.ts
-import { existsSync as existsSync10, readFileSync as readFileSync11 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync12 } from "fs";
 import { createConnection as createConnection2 } from "net";
 
 // app/lib/network.ts
@@ -10414,7 +10615,7 @@ function getLanIp() {
 import { basename as basename2 } from "path";
 
 // app/lib/review-detector/rules.ts
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync6, existsSync as existsSync6, statSync as statSync4, mkdirSync as mkdirSync5, renameSync as renameSync2 } from "fs";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, existsSync as existsSync6, statSync as statSync4, mkdirSync as mkdirSync5, renameSync as renameSync2 } from "fs";
 import { resolve as resolve6, dirname as dirname3 } from "path";
 var DEFAULT_SCAN_INTERVAL_MS = 5e3;
 var RATE_LIMIT_PATTERN = "rate[- ]?limit(?:ed| reached| hit)|(?:HTTP|status)[^a-z]{0,3}429|too many requests";
@@ -10862,7 +11063,7 @@ function loadRules(configDir2) {
   if (!existsSync6(path2)) {
     throw new Error(`rules file missing at ${path2}`);
   }
-  const raw2 = readFileSync7(path2, "utf-8");
+  const raw2 = readFileSync8(path2, "utf-8");
   let parsed;
   try {
     parsed = JSON.parse(raw2);
@@ -11027,7 +11228,7 @@ function validateRule(input, label, seenIds) {
 }
 
 // app/lib/review-detector/sources.ts
-import { existsSync as existsSync7, readdirSync as readdirSync3, statSync as statSync5, writeFileSync as writeFileSync7, renameSync as renameSync3, mkdirSync as mkdirSync6, openSync as openSync3, readSync as readSync3, closeSync as closeSync3, readFileSync as readFileSync8 } from "fs";
+import { existsSync as existsSync7, readdirSync as readdirSync3, statSync as statSync5, writeFileSync as writeFileSync7, renameSync as renameSync3, mkdirSync as mkdirSync6, openSync as openSync3, readSync as readSync3, closeSync as closeSync3, readFileSync as readFileSync9 } from "fs";
 import { resolve as resolve7, join as join4, basename, dirname as dirname4 } from "path";
 function tailStatePath(configDir2) {
   return resolve7(configDir2, "review-state.json");
@@ -11036,7 +11237,7 @@ function loadTailState(configDir2) {
   const path2 = tailStatePath(configDir2);
   if (!existsSync7(path2)) return {};
   try {
-    const raw2 = readFileSync8(path2, "utf-8");
+    const raw2 = readFileSync9(path2, "utf-8");
     const parsed = JSON.parse(raw2);
     if (!parsed || typeof parsed !== "object") return {};
     const clean = {};
@@ -11206,7 +11407,7 @@ function sourceKey(file) {
 }
 
 // app/lib/review-detector/writer.ts
-import { appendFileSync as appendFileSync2, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync9, writeFileSync as writeFileSync8, renameSync as renameSync4, statSync as statSync6 } from "fs";
+import { appendFileSync as appendFileSync2, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync8, renameSync as renameSync4, statSync as statSync6 } from "fs";
 import { resolve as resolve8, dirname as dirname5 } from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 function reviewLogPath(configDir2) {
@@ -11345,7 +11546,7 @@ function queueAlert(configDir2, accountId, match2) {
 async function drainPendingAlerts(configDir2) {
   const path2 = pendingAlertsPath(configDir2);
   if (!existsSync8(path2)) return { drained: 0, remaining: 0 };
-  const raw2 = readFileSync9(path2, "utf-8");
+  const raw2 = readFileSync10(path2, "utf-8");
   const lines = raw2.split("\n").filter((l) => l.trim().length > 0);
   if (lines.length === 0) return { drained: 0, remaining: 0 };
   const remaining = [];
@@ -12008,7 +12209,7 @@ var WhatsAppConfigSchema = z.object({
 });
 
 // app/lib/whatsapp/config-persist.ts
-import { readFileSync as readFileSync10, writeFileSync as writeFileSync9, existsSync as existsSync9 } from "fs";
+import { readFileSync as readFileSync11, writeFileSync as writeFileSync9, existsSync as existsSync9 } from "fs";
 import { resolve as resolve10, join as join5 } from "path";
 var TAG3 = "[whatsapp:config]";
 function configPath(accountDir) {
@@ -12017,7 +12218,7 @@ function configPath(accountDir) {
 function readConfig(accountDir) {
   const path2 = configPath(accountDir);
   if (!existsSync9(path2)) throw new Error(`account.json not found at ${path2}`);
-  return JSON.parse(readFileSync10(path2, "utf-8"));
+  return JSON.parse(readFileSync11(path2, "utf-8"));
 }
 function writeConfig(accountDir, config) {
   const path2 = configPath(accountDir);
@@ -14309,7 +14510,7 @@ app.get("/", async (c) => {
   let pinConfigured = false;
   try {
     if (existsSync10(USERS_FILE)) {
-      const raw2 = readFileSync11(USERS_FILE, "utf-8").trim();
+      const raw2 = readFileSync12(USERS_FILE, "utf-8").trim();
       if (raw2) {
         const users = JSON.parse(raw2);
         pinConfigured = Array.isArray(users) && users.length > 0;
@@ -14665,8 +14866,6 @@ app2.post("/", async (c) => {
   const newVisitorId = visitorId ?? crypto.randomUUID();
   const sessionKey = crypto.randomUUID();
   registerSession(sessionKey, "public", accountId, agentSlug);
-  ensureConversation(accountId, "public", sessionKey, newVisitorId, agentSlug).catch(() => {
-  });
   const hasImage = agentConfig?.image ? "yes" : "no";
   console.log(`[session] new-session visitor=${newVisitorId.slice(0, 8)}\u2026 session=${sessionKey.slice(0, 8)}\u2026 agent=${agentSlug} image=${hasImage} showAgentName=${agentConfig?.showAgentName ?? false}`);
   return withVisitorCookie(
@@ -15428,7 +15627,7 @@ var group_default = app4;
 
 // app/lib/access-gate.ts
 import neo4j2 from "neo4j-driver";
-import { readFileSync as readFileSync12 } from "fs";
+import { readFileSync as readFileSync13 } from "fs";
 import { resolve as resolve13 } from "path";
 import { randomUUID as randomUUID7, randomInt } from "crypto";
 var PLATFORM_ROOT5 = process.env.MAXY_PLATFORM_ROOT ?? resolve13(process.cwd(), "..");
@@ -15437,7 +15636,7 @@ function readPassword2() {
   if (process.env.NEO4J_PASSWORD) return process.env.NEO4J_PASSWORD;
   const passwordFile = resolve13(PLATFORM_ROOT5, "config/.neo4j-password");
   try {
-    return readFileSync12(passwordFile, "utf-8").trim();
+    return readFileSync13(passwordFile, "utf-8").trim();
   } catch {
     throw new Error(
       `Neo4j password not found. Expected at ${passwordFile} or in NEO4J_PASSWORD env var.`
@@ -15748,7 +15947,7 @@ async function findActiveGrantByContact(contactValue, agentSlug, accountId) {
 }
 
 // app/lib/brevo-sms.ts
-import { readFileSync as readFileSync13, writeFileSync as writeFileSync11, mkdirSync as mkdirSync9, existsSync as existsSync12, chmodSync } from "fs";
+import { readFileSync as readFileSync14, writeFileSync as writeFileSync11, mkdirSync as mkdirSync9, existsSync as existsSync12, chmodSync } from "fs";
 import { dirname as dirname6 } from "path";
 import { resolve as resolve14 } from "path";
 var BREVO_API_KEY_FILE = resolve14(MAXY_DIR, ".brevo-api-key");
@@ -15760,7 +15959,7 @@ if (platformRoot) {
   try {
     const brandPath = resolve14(platformRoot, "config", "brand.json");
     if (existsSync12(brandPath)) {
-      const brand = JSON.parse(readFileSync13(brandPath, "utf-8"));
+      const brand = JSON.parse(readFileSync14(brandPath, "utf-8"));
       if (brand.productName) BREVO_SENDER = brand.productName;
     }
   } catch {
@@ -15768,7 +15967,7 @@ if (platformRoot) {
 }
 function readBrevoApiKey() {
   try {
-    const key = readFileSync13(BREVO_API_KEY_FILE, "utf-8").trim();
+    const key = readFileSync14(BREVO_API_KEY_FILE, "utf-8").trim();
     if (!key) {
       throw new Error(`Brevo API key file is empty: ${BREVO_API_KEY_FILE}`);
     }
@@ -16199,7 +16398,7 @@ app5.post("/send-otp", async (c) => {
 var access_default = app5;
 
 // server/routes/telegram.ts
-import { existsSync as existsSync13, readFileSync as readFileSync14 } from "fs";
+import { existsSync as existsSync13, readFileSync as readFileSync15 } from "fs";
 import { timingSafeEqual } from "crypto";
 
 // app/lib/telegram/access-control.ts
@@ -16237,7 +16436,7 @@ function getWebhookSecret(botType) {
   const filePath = botType === "admin" ? TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE : TELEGRAM_WEBHOOK_SECRET_FILE;
   try {
     if (!existsSync13(filePath)) return null;
-    const secret = readFileSync14(filePath, "utf-8").trim();
+    const secret = readFileSync15(filePath, "utf-8").trim();
     return secret || null;
   } catch {
     return null;
@@ -16397,7 +16596,7 @@ var telegram_default = app6;
 // server/routes/whatsapp.ts
 import { join as join8, resolve as resolve15, basename as basename4 } from "path";
 import { readFile as readFile2, stat as stat3 } from "fs/promises";
-import { realpathSync as realpathSync2, readdirSync as readdirSync4, readFileSync as readFileSync15, existsSync as existsSync14 } from "fs";
+import { realpathSync as realpathSync2, readdirSync as readdirSync4, readFileSync as readFileSync16, existsSync as existsSync14 } from "fs";
 
 // app/lib/whatsapp/login.ts
 import { randomUUID as randomUUID8 } from "crypto";
@@ -16885,7 +17084,7 @@ app7.post("/config", async (c) => {
               const configPath2 = resolve15(agentsDir, entry.name, "config.json");
               if (!existsSync14(configPath2)) continue;
               try {
-                const config = JSON.parse(readFileSync15(configPath2, "utf-8"));
+                const config = JSON.parse(readFileSync16(configPath2, "utf-8"));
                 agents.push({ slug: entry.name, displayName: config.displayName ?? entry.name });
               } catch {
                 console.error(`${TAG18} config action=list-public-agents error="failed to parse config.json for agent ${entry.name}" \u2014 skipping`);
@@ -17097,7 +17296,7 @@ var whatsapp_default = app7;
 
 // server/routes/onboarding.ts
 import { spawn as spawn3, execFileSync as execFileSync2 } from "child_process";
-import { openSync as openSync4, closeSync as closeSync4, writeFileSync as writeFileSync12, writeSync, existsSync as existsSync15, mkdirSync as mkdirSync10, readFileSync as readFileSync16, unlinkSync as unlinkSync4 } from "fs";
+import { openSync as openSync4, closeSync as closeSync4, writeFileSync as writeFileSync12, writeSync, existsSync as existsSync15, mkdirSync as mkdirSync10, readFileSync as readFileSync17, unlinkSync as unlinkSync4 } from "fs";
 import { resolve as resolve16, dirname as dirname7 } from "path";
 import { createHash, randomUUID as randomUUID9 } from "crypto";
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
@@ -17106,7 +17305,7 @@ function hashPin(pin) {
 }
 function readUsersFile() {
   if (!existsSync15(USERS_FILE)) return null;
-  const raw2 = readFileSync16(USERS_FILE, "utf-8").trim();
+  const raw2 = readFileSync17(USERS_FILE, "utf-8").trim();
   if (!raw2) return [];
   return JSON.parse(raw2);
 }
@@ -17217,7 +17416,7 @@ app8.post("/set-pin", async (c) => {
   const account = resolveAccount();
   if (account) {
     try {
-      const config = JSON.parse(readFileSync16(`${account.accountDir}/account.json`, "utf-8"));
+      const config = JSON.parse(readFileSync17(`${account.accountDir}/account.json`, "utf-8"));
       if (!config.admins) config.admins = [];
       if (!config.admins.some((a) => a.userId === userId)) {
         config.admins.push({ userId, role: "owner" });
@@ -17275,7 +17474,7 @@ app8.post("/skip", async (c) => {
   const brandPath = PLATFORM_ROOT7 ? resolve16(PLATFORM_ROOT7, "config", "brand.json") : "";
   if (brandPath && existsSync15(brandPath)) {
     try {
-      const brand = JSON.parse(readFileSync16(brandPath, "utf-8"));
+      const brand = JSON.parse(readFileSync17(brandPath, "utf-8"));
       if (brand.productName) agentName = brand.productName;
     } catch (err) {
       console.error(`[onboarding-skip] brand.json read failed: ${err instanceof Error ? err.message : String(err)}`);
@@ -17469,14 +17668,14 @@ app9.post("/", async (c) => {
 var client_error_default = app9;
 
 // server/routes/admin/session.ts
-import { readFileSync as readFileSync17, existsSync as existsSync17 } from "fs";
+import { readFileSync as readFileSync18, existsSync as existsSync17 } from "fs";
 import { createHash as createHash2 } from "crypto";
 function hashPin2(pin) {
   return createHash2("sha256").update(pin).digest("hex");
 }
 function readUsersFile2() {
   if (!existsSync17(USERS_FILE)) return null;
-  const raw2 = readFileSync17(USERS_FILE, "utf-8").trim();
+  const raw2 = readFileSync18(USERS_FILE, "utf-8").trim();
   if (!raw2) return [];
   return JSON.parse(raw2);
 }
@@ -17498,11 +17697,7 @@ async function createAdminSession(accountId, thinkingView, userId, userName) {
     businessName = branding?.name || void 0;
   } catch {
   }
-  let conversationId = null;
-  if (userId) {
-    conversationId = await createNewAdminConversation(userId, accountId, sessionKey);
-  }
-  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} admin session created: userId=${userId ?? "\u2013"} userName=${userName ?? "\u2013"} accountId=${accountId} conversationId=${conversationId?.slice(0, 8) ?? "\u2013"} sessionKey=${sessionKey.slice(0, 8)}`);
+  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} admin session created: userId=${userId ?? "\u2013"} userName=${userName ?? "\u2013"} accountId=${accountId} conversationId=deferred sessionKey=${sessionKey.slice(0, 8)}`);
   return {
     session_key: sessionKey,
     agent_id: "admin",
@@ -17511,7 +17706,7 @@ async function createAdminSession(accountId, thinkingView, userId, userName) {
     thinkingView: effectiveThinkingView,
     onboardingComplete,
     businessName,
-    conversationId
+    conversationId: null
   };
 }
 var app10 = new Hono2();
@@ -18176,7 +18371,7 @@ app12.post("/", requireAdminSession, async (c) => {
 var compact_default = app12;
 
 // server/routes/admin/logs.ts
-import { existsSync as existsSync18, readdirSync as readdirSync5, readFileSync as readFileSync18, statSync as statSync9 } from "fs";
+import { existsSync as existsSync18, readdirSync as readdirSync5, readFileSync as readFileSync19, statSync as statSync9 } from "fs";
 import { resolve as resolve18, basename as basename5 } from "path";
 var TAIL_BYTES = 8192;
 var app13 = new Hono2();
@@ -18195,7 +18390,7 @@ app13.get("/", async (c) => {
       const filePath = resolve18(dir, safe);
       searched.push(filePath);
       try {
-        const content = readFileSync18(filePath, "utf-8");
+        const content = readFileSync19(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
         if (download) headers["Content-Disposition"] = `attachment; filename="${safe}"`;
         return new Response(content, { headers });
@@ -18237,7 +18432,7 @@ app13.get("/", async (c) => {
       const filePath = resolve18(dir, fileName);
       searched.push(filePath);
       try {
-        const content = readFileSync18(filePath, "utf-8");
+        const content = readFileSync19(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
         if (download) headers["Content-Disposition"] = `attachment; filename="${fileName}"`;
         return new Response(content, { headers });
@@ -18264,7 +18459,7 @@ app13.get("/", async (c) => {
     files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync9(resolve18(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
       seen.add(name);
       try {
-        const content = readFileSync18(resolve18(dir, name));
+        const content = readFileSync19(resolve18(dir, name));
         const tail = content.length > TAIL_BYTES ? content.subarray(content.length - TAIL_BYTES).toString("utf-8") : content.toString("utf-8");
         logs[name] = tail.trim() || "(empty)";
       } catch (err) {
@@ -18349,7 +18544,7 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
 var attachment_default = app15;
 
 // server/routes/admin/account.ts
-import { readFileSync as readFileSync19, writeFileSync as writeFileSync13 } from "fs";
+import { readFileSync as readFileSync20, writeFileSync as writeFileSync13 } from "fs";
 import { resolve as resolve20 } from "path";
 var VALID_CONTEXT_MODES = ["managed", "claude-code"];
 var app16 = new Hono2();
@@ -18368,7 +18563,7 @@ app16.patch("/", requireAdminSession, async (c) => {
   if (!account) return c.json({ error: "No account configured" }, 500);
   const configPath2 = resolve20(account.accountDir, "account.json");
   try {
-    const raw2 = readFileSync19(configPath2, "utf-8");
+    const raw2 = readFileSync20(configPath2, "utf-8");
     const config = JSON.parse(raw2);
     config.contextMode = contextMode;
     writeFileSync13(configPath2, JSON.stringify(config, null, 2) + "\n", "utf-8");
@@ -18383,7 +18578,7 @@ var account_default = app16;
 
 // server/routes/admin/agents.ts
 import { resolve as resolve21 } from "path";
-import { readdirSync as readdirSync6, readFileSync as readFileSync20, existsSync as existsSync20, rmSync as rmSync3 } from "fs";
+import { readdirSync as readdirSync6, readFileSync as readFileSync21, existsSync as existsSync20, rmSync as rmSync3 } from "fs";
 var app17 = new Hono2();
 app17.get("/", (c) => {
   const account = resolveAccount();
@@ -18399,7 +18594,7 @@ app17.get("/", (c) => {
       const configPath2 = resolve21(agentsDir, entry.name, "config.json");
       if (!existsSync20(configPath2)) continue;
       try {
-        const config = JSON.parse(readFileSync20(configPath2, "utf-8"));
+        const config = JSON.parse(readFileSync21(configPath2, "utf-8"));
         agents.push({
           slug: entry.name,
           displayName: config.displayName ?? entry.name,
@@ -18441,7 +18636,7 @@ app17.delete("/:slug", (c) => {
 var agents_default = app17;
 
 // server/routes/admin/version.ts
-import { existsSync as existsSync21, readFileSync as readFileSync21 } from "fs";
+import { existsSync as existsSync21, readFileSync as readFileSync22 } from "fs";
 import { resolve as resolve22, join as join10 } from "path";
 var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT ?? resolve22(process.cwd(), "..");
 var brandHostname = "maxy";
@@ -18449,7 +18644,7 @@ var brandNpmPackage = "@rubytech/create-maxy";
 var brandJsonPath = join10(PLATFORM_ROOT8, "config", "brand.json");
 if (existsSync21(brandJsonPath)) {
   try {
-    const brand = JSON.parse(readFileSync21(brandJsonPath, "utf-8"));
+    const brand = JSON.parse(readFileSync22(brandJsonPath, "utf-8"));
     if (brand.hostname) brandHostname = brand.hostname;
     if (brand.npm?.packageName) brandNpmPackage = brand.npm.packageName;
   } catch {
@@ -18461,7 +18656,7 @@ var REGISTRY_URL = `https://registry.npmjs.org/${NPM_PACKAGE}/latest`;
 var FETCH_TIMEOUT_MS = 5e3;
 function readInstalled() {
   if (!existsSync21(VERSION_FILE)) return "unknown";
-  const content = readFileSync21(VERSION_FILE, "utf-8").trim();
+  const content = readFileSync22(VERSION_FILE, "utf-8").trim();
   return content || "unknown";
 }
 async function fetchLatest() {
@@ -18571,16 +18766,10 @@ app19.post("/new", requireAdminSession, async (c) => {
   const newSessionKey = crypto3.randomUUID();
   const userName = getUserNameForSession(oldSessionKey);
   registerSession(newSessionKey, "admin", accountId, void 0, userId, userName);
-  const conversationId = await createNewAdminConversation(userId, accountId, newSessionKey);
-  if (!conversationId) {
-    unregisterSession(newSessionKey);
-    console.error(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} new-conversation-failed: userId=${userId} accountId=${accountId.slice(0, 8)}\u2026 oldSessionKey=${oldSessionKey.slice(0, 8)}\u2026 newSessionKey=${newSessionKey.slice(0, 8)}\u2026`);
-    return c.json({ error: "Failed to create conversation" }, 500);
-  }
   const previousConversationId = clearSessionHistory(oldSessionKey);
   unregisterSession(oldSessionKey);
-  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} session reset for new conversation: oldSessionKey=${oldSessionKey.slice(0, 8)}\u2026 newSessionKey=${newSessionKey.slice(0, 8)}\u2026 previousConversationId=${previousConversationId?.slice(0, 8) ?? "none"}\u2026 newConversationId=${conversationId.slice(0, 8)}\u2026`);
-  return c.json({ session_key: newSessionKey, conversationId });
+  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} session reset for new conversation: oldSessionKey=${oldSessionKey.slice(0, 8)}\u2026 newSessionKey=${newSessionKey.slice(0, 8)}\u2026 previousConversationId=${previousConversationId?.slice(0, 8) ?? "none"}\u2026 newConversationId=deferred`);
+  return c.json({ session_key: newSessionKey, conversationId: null });
 });
 app19.delete("/:id", requireAdminSession, async (c) => {
   const conversationId = c.req.param("id");
@@ -18956,7 +19145,7 @@ var events_default = app23;
 // server/routes/admin/cloudflare.ts
 import { homedir as homedir3 } from "os";
 import { resolve as resolve24 } from "path";
-import { readFileSync as readFileSync23 } from "fs";
+import { readFileSync as readFileSync24 } from "fs";
 
 // app/lib/dns-label.ts
 var VALID_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
@@ -18972,14 +19161,14 @@ function isValidDomain(value) {
 }
 
 // app/lib/alias-domains.ts
-import { existsSync as existsSync22, mkdirSync as mkdirSync12, readFileSync as readFileSync22, writeFileSync as writeFileSync14 } from "fs";
+import { existsSync as existsSync22, mkdirSync as mkdirSync12, readFileSync as readFileSync23, writeFileSync as writeFileSync14 } from "fs";
 import { dirname as dirname9 } from "path";
 import { resolve as resolve23 } from "path";
 var ALIAS_DOMAINS_PATH = resolve23(MAXY_DIR, "alias-domains.json");
 function readExisting() {
   if (!existsSync22(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
   try {
-    const parsed = JSON.parse(readFileSync22(ALIAS_DOMAINS_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync23(ALIAS_DOMAINS_PATH, "utf-8"));
     if (!Array.isArray(parsed)) return /* @__PURE__ */ new Set();
     return new Set(parsed.filter((h) => typeof h === "string"));
   } catch {
@@ -19001,7 +19190,7 @@ function loadBrandInfo() {
   const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve24(process.cwd(), "..");
   const brandPath = resolve24(platformRoot2, "config", "brand.json");
   try {
-    const parsed = JSON.parse(readFileSync23(brandPath, "utf-8"));
+    const parsed = JSON.parse(readFileSync24(brandPath, "utf-8"));
     const hostname2 = typeof parsed.hostname === "string" && parsed.hostname ? parsed.hostname : "maxy";
     const configDir2 = typeof parsed.configDir === "string" && parsed.configDir ? parsed.configDir : ".maxy";
     return { hostname: hostname2, configDir: configDir2 };
@@ -19404,25 +19593,72 @@ async function trashNode(params) {
   const setNullClauses = Object.keys(originalKeys).map((k) => `n.\`${k}\` = null`).join(", ");
   const setNullSuffix = setNullClauses ? `, ${setNullClauses}` : "";
   const trashedAt = (/* @__PURE__ */ new Date()).toISOString();
-  await session.run(
-    `MATCH (n) WHERE elementId(n) = $eid
-     SET n:Trashed,
-         n.trashedAt = datetime($trashedAt),
-         n.trashedBy = $by,
-         n.trashReason = $reason,
-         n._trashedKeys = $trashedKeysJson${setNullSuffix}`,
-    {
-      eid: elementId,
-      trashedAt,
-      by,
-      reason: reason ?? null,
-      trashedKeysJson: JSON.stringify(originalKeys)
+  const isConversation = baseLabels.includes("Conversation");
+  const messageUniqueKeys = UNIQUE_KEYS_BY_LABEL["Message"] ?? [];
+  let cascadedMessageCount = 0;
+  await session.executeWrite(async (tx) => {
+    await tx.run(
+      `MATCH (n) WHERE elementId(n) = $eid
+       SET n:Trashed,
+           n.trashedAt = datetime($trashedAt),
+           n.trashedBy = $by,
+           n.trashReason = $reason,
+           n._trashedKeys = $trashedKeysJson${setNullSuffix}`,
+      {
+        eid: elementId,
+        trashedAt,
+        by,
+        reason: reason ?? null,
+        trashedKeysJson: JSON.stringify(originalKeys)
+      }
+    );
+    if (isConversation) {
+      const collectKeys = messageUniqueKeys.length > 0 ? messageUniqueKeys.map((k) => `\`${k}\`: m.\`${k}\``).join(", ") : "";
+      const collectMsgProps = collectKeys ? `, {${collectKeys}}` : ", {}";
+      const collected = await tx.run(
+        `MATCH (c) WHERE elementId(c) = $eid
+         MATCH (m:Message)-[:PART_OF]->(c)
+         WHERE NOT m:Trashed
+         RETURN elementId(m) AS meid${collectMsgProps} AS keys`,
+        { eid: elementId }
+      );
+      for (const rec of collected.records) {
+        const meid = rec.get("meid");
+        const keys = rec.get("keys");
+        const liveKeys = {};
+        for (const k of messageUniqueKeys) {
+          if (keys[k] !== void 0 && keys[k] !== null) liveKeys[k] = keys[k];
+        }
+        const msgSetNulls = Object.keys(liveKeys).length > 0 ? ", " + Object.keys(liveKeys).map((k) => `m.\`${k}\` = null`).join(", ") : "";
+        await tx.run(
+          `MATCH (m) WHERE elementId(m) = $meid
+           SET m:Trashed,
+               m.trashedAt = datetime($trashedAt),
+               m.trashedBy = $by,
+               m.trashReason = $reason,
+               m._trashedKeys = $trashedKeysJson${msgSetNulls}`,
+          {
+            meid,
+            trashedAt,
+            by: `${by}:cascade-from-conversation`,
+            reason: reason ?? `cascade from Conversation ${elementId}`,
+            trashedKeysJson: JSON.stringify(liveKeys)
+          }
+        );
+      }
+      cascadedMessageCount = collected.records.length;
     }
-  );
+  });
   process.stderr.write(
     `[trash:marked] accountId=${accountId} elementId=${elementId} labels=${baseLabels.join(",")} by=${by} reason=${reason ?? "null"}
 `
   );
+  if (isConversation) {
+    process.stderr.write(
+      `[trash:cascaded] accountId=${accountId} conversationElementId=${elementId} messageCount=${cascadedMessageCount} by=${by}
+`
+    );
+  }
   return {
     trashed: true,
     alreadyTrashed: false,
@@ -19473,16 +19709,50 @@ async function restoreNode(params) {
   const setSuffix = setClauses ? `, ${setClauses}` : "";
   const setParams = { eid: elementId };
   for (const [k, v] of Object.entries(originalKeys)) setParams[`val_${k}`] = v;
-  await session.run(
-    `MATCH (n:Trashed) WHERE elementId(n) = $eid
-     REMOVE n:Trashed, n.trashedAt, n.trashedBy, n.trashReason, n._trashedKeys
-     SET n.restoredAt = datetime()${setSuffix}`,
-    setParams
-  );
+  const isConversation = baseLabels.includes("Conversation");
+  let cascadedMessageCount = 0;
+  await session.executeWrite(async (tx) => {
+    await tx.run(
+      `MATCH (n:Trashed) WHERE elementId(n) = $eid
+       REMOVE n:Trashed, n.trashedAt, n.trashedBy, n.trashReason, n._trashedKeys
+       SET n.restoredAt = datetime()${setSuffix}`,
+      setParams
+    );
+    if (isConversation) {
+      const collected = await tx.run(
+        `MATCH (c) WHERE elementId(c) = $eid
+         MATCH (m:Trashed:Message)-[:PART_OF]->(c)
+         WHERE m.trashedBy ENDS WITH ':cascade-from-conversation'
+         RETURN elementId(m) AS meid, m._trashedKeys AS keysJson`,
+        { eid: elementId }
+      );
+      for (const rec of collected.records) {
+        const meid = rec.get("meid");
+        const keysJson2 = rec.get("keysJson");
+        const keys = keysJson2 ? JSON.parse(keysJson2) : {};
+        const setClause = Object.keys(keys).length > 0 ? ", " + Object.keys(keys).map((k) => `m.\`${k}\` = $val_${k}`).join(", ") : "";
+        const msgParams = { meid };
+        for (const [k, v] of Object.entries(keys)) msgParams[`val_${k}`] = v;
+        await tx.run(
+          `MATCH (m) WHERE elementId(m) = $meid
+           REMOVE m:Trashed, m.trashedAt, m.trashedBy, m.trashReason, m._trashedKeys
+           SET m.restoredAt = datetime()${setClause}`,
+          msgParams
+        );
+      }
+      cascadedMessageCount = collected.records.length;
+    }
+  });
   process.stderr.write(
     `[trash:restored] accountId=${accountId} elementId=${elementId} labels=${baseLabels.join(",")}
 `
   );
+  if (isConversation) {
+    process.stderr.write(
+      `[trash:cascade-restored] accountId=${accountId} conversationElementId=${elementId} messageCount=${cascadedMessageCount}
+`
+    );
+  }
   return {
     restored: true,
     nodeId: elementId,
@@ -19940,24 +20210,35 @@ var GRAPH_LABEL_COLOURS = {
   Review: "#059669",
   ImageObject: "#6EE7B7",
   // Conversational
+  //
+  // Task 649 palette — the four sublabelled conversation/message labels
+  // (AdminConversation, PublicConversation, UserMessage, AssistantMessage)
+  // are assigned four pairwise-distinguishable hues: indigo / purple /
+  // orange / yellow. The Task 633 violet-shade split (darker for admin,
+  // lighter for public) was indistinguishable on canvas and in the legend;
+  // hue-shift replaces lightness-shift.
+  //
+  // Constraints honoured:
+  //   - Pairwise distinct among the four in-family labels.
+  //   - UserMessage=#F97316 reserved (Person/Preference orange cue) —
+  //     the other three are non-orange.
+  //   - No collision with Task/Project/Event pinks (#DB2777/#BE185D/#EC4899),
+  //     Knowledge greens, Workflow cyans, LocalBusiness blues.
+  //   - Conversation base (#7C3AED) kept as pre-backfill fallback for
+  //     nodes that pre-date the AdminConversation/PublicConversation split.
+  //   - Message base reassigned away from old #A78BFA to avoid near-
+  //     collision with the new PublicConversation=#A855F7; slate signals
+  //     "legacy/system/tool" — nodes carrying only :Message without a
+  //     role-sublabel.
+  //   - Out of family (intentionally not touched): OnboardingState=#8B5CF6
+  //     sits in the violet neighbourhood; palette reassignment outside
+  //     the conversation/message family is out of scope for Task 649.
   Conversation: "#7C3AED",
-  // Task 633 — admin vs public disambiguation on /graph. Darker violet for
-  // admin conversations (the operator-facing side), lighter for public
-  // (customer-facing) so the operator can read chat topology by colour
-  // alone. Both within the Conversation family — the hue shift is subtle
-  // enough to stay legible on adjacent nodes yet distinct enough to be
-  // unmistakable in the popover legend.
-  AdminConversation: "#5B21B6",
-  PublicConversation: "#A78BFA",
-  Message: "#A78BFA",
-  // Task 633 — user vs assistant disambiguation on /graph. UserMessage
-  // picks up the Person/Preference orange family cue (the user is a
-  // person); AssistantMessage stays violet-adjacent to reinforce the
-  // AdminConversation cue (both are admin-side). system/tool Messages
-  // (not written by the persist path today; reserved shape) stay on the
-  // base `:Message` colour.
+  AdminConversation: "#4338CA",
+  PublicConversation: "#A855F7",
+  Message: "#64748B",
   UserMessage: "#F97316",
-  AssistantMessage: "#8B5CF6",
+  AssistantMessage: "#FACC15",
   ToolCall: "#C4B5FD",
   // Tasks / projects / events
   Task: "#DB2777",
@@ -20729,7 +21010,7 @@ if (BRAND_JSON_PATH && !existsSync23(BRAND_JSON_PATH)) {
 }
 if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync24(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync25(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -20752,7 +21033,7 @@ var ALIAS_DOMAINS_PATH2 = join12(homedir4(), BRAND.configDir, "alias-domains.jso
 function loadAliasDomains() {
   try {
     if (!existsSync23(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync24(ALIAS_DOMAINS_PATH2, "utf-8"));
+    const parsed = JSON.parse(readFileSync25(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -20877,10 +21158,7 @@ app35.post("/__remote-auth/login", async (c) => {
     }
   });
 });
-app35.get("/__remote-auth/logout", (c) => {
-  const cookieHeader = c.req.header("cookie");
-  const token = parseCookie(cookieHeader, "__remote_session");
-  if (token) invalidateRemoteSession(token);
+app35.get("/__remote-auth/logout", () => {
   return new Response(null, {
     status: 302,
     headers: {
@@ -21046,16 +21324,6 @@ app35.use("*", async (c, next) => {
   console.error(`[remote-auth] login required ip=${clientIp} path=${path2}`);
   return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), redirect: path2 }), 200);
 });
-function parseCookie(cookieHeader, name) {
-  if (!cookieHeader) return null;
-  const match2 = cookieHeader.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
-  if (!match2) return null;
-  try {
-    return decodeURIComponent(match2[1]);
-  } catch {
-    return null;
-  }
-}
 app35.route("/api/health", health_default);
 app35.route("/api/session", session_default);
 app35.route("/api/chat", chat_default);
@@ -21105,7 +21373,7 @@ app35.get("/agent-assets/:slug/:filename", (c) => {
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync24(filePath);
+  const body = readFileSync25(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
@@ -21135,7 +21403,7 @@ app35.get("/generated/:filename", (c) => {
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync24(filePath);
+  const body = readFileSync25(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -21146,7 +21414,7 @@ var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
 if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync24(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync25(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -21165,7 +21433,7 @@ function readInstalledVersion() {
     if (!PLATFORM_ROOT10) return "unknown";
     const versionFile = join12(PLATFORM_ROOT10, "config", `.${BRAND.hostname}-version`);
     if (!existsSync23(versionFile)) return "unknown";
-    const content = readFileSync24(versionFile, "utf-8").trim();
+    const content = readFileSync25(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -21206,7 +21474,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync24(resolve27(process.cwd(), "public", file), "utf-8");
+    html = readFileSync25(resolve27(process.cwd(), "public", file), "utf-8");
     html = html.replace("<title>Maxy</title>", `<title>${escapeHtml(BRAND.productName)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
     const headInjection = file === "index.html" ? `${brandScript}
@@ -21225,12 +21493,12 @@ function loadBrandingCache(agentSlug) {
   try {
     const accountJsonPath = join12(configDir2, "account.json");
     if (!existsSync23(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync24(accountJsonPath, "utf-8"));
+    const account = JSON.parse(readFileSync25(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
     const cachePath = join12(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
     if (!existsSync23(cachePath)) return null;
-    return JSON.parse(readFileSync24(cachePath, "utf-8"));
+    return JSON.parse(readFileSync25(cachePath, "utf-8"));
   } catch {
     return null;
   }
@@ -21240,7 +21508,7 @@ function resolveDefaultSlug() {
     const configDir2 = join12(homedir4(), BRAND.configDir);
     const accountJsonPath = join12(configDir2, "account.json");
     if (!existsSync23(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync24(accountJsonPath, "utf-8"));
+    const account = JSON.parse(readFileSync25(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -21313,7 +21581,7 @@ app35.use("/vnc-popout.html", logViewerFetch);
 app35.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync24(resolve27(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync25(resolve27(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -21404,7 +21672,7 @@ try {
   try {
     let userId = "";
     if (existsSync23(USERS_FILE)) {
-      const users = JSON.parse(readFileSync24(USERS_FILE, "utf-8").trim() || "[]");
+      const users = JSON.parse(readFileSync25(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);